Page 1 of 23

BID No. 02/20

REQUEST FOR PROPOSALS

FOR

CYBERSECURITY TOOLS AND SERVICES FOR OPERATIONS IN A MEMBER STATE OF THE ORGANIZATION OF AMERICAN STATES.

AMENDMENT 01

INTER-AMERICAN COMMITTEE AGAINST TERRORISM (CICTE)

SECRETARIAT FOR MULTIDIMENSIONAL SECURITY (SMS)

GENERAL SECRETARIAT OF THE ORGANIZATION OF AMERICAN STATES (GS/OAS) Department of Procurement Services

June 16, 2020

Page 2 of 23

TABLE OF CONTENTS

1. General Information 2. Objectives 3. Terms of Reference 4. Governing Law 5. RFP Schedule 6. Registration as a Vendor at the Official GS/OAS Procurement Notices

/Opportunities Portal 7. Bidders’ Inquiries 8. Proposal Closing Date 9. Proposal Submission Conditions and Requirements 10. Proposal Evaluation 11. General Provisions

Appendixes Appendix 1 Contractual Terms and Conditions Appendix 2 Acceptance of the Contractual Terms and Conditions Statement Appendix 3 Conflict of Interest Statement Appendix 4 Commercial References

Page 3 of 23

BID No. 02/20

REQUEST FOR PROPOSALS

FOR

CYBERSECURITY TOOLS AND SERVICES FOR OPERATIONS IN A MEMBER STATE OF THE ORGANIZATION OF AMERICAN STATES.

AMENDMENT 01

INTER-AMERICAN COMMITTEE AGAINST TERRORISM (CICTE)

SECRETARIAT FOR MULTIDIMENSIONAL SECURITY (SMS)

1. GENERAL INFORMATION

The Organization of American States (OAS) is a public international organization, with headquarters at 1889 F. St. N.W., Washington, D.C. 20006. The OAS brings together the nations of the Western hemisphere to promote democracy, strengthen human rights, foster peace, security and cooperation and advance common interests. For more information about the OAS, please refer to the OAS’s web site at www.oas.org. The General Secretariat of the OAS (GS/OAS) is the central and permanent organ of the OAS in accordance with Article 107 of the Charter.

The Secretariat for Multidimensional Security (SMS) of the General Secretariat of the

Organization of the American States (GS/OAS) promotes and coordinates cooperation among

the OAS member states and between them, the Inter-American system and other bodies in

the international system, in order to access, prevent, confront, and respond effectively to

threats to security, with a view of being the leading point of reference in the Hemisphere for

developing cooperation and capacity-building in the OAS Member States.

The Executive Secretariat for the Inter-American Committee against Terrorism (ES/CICTE)

assists member states in the design, implementation, and evaluation of national policies and

programs to prevent, combat, and eliminate terrorism and strengthen the antiterrorist

capabilities of Member States.

This request for proposals is solicited by the CICTE Executive Secretariat (ES/CICTE) in the context of the Implementation of a Cybersecurity Project in a Member State of the GS/OAS.

Page 4 of 23

2. OBJECTIVES To contract the following services, either jointly or separately, to provide cybersecurity tools and services for operations in a Member State of the OAS:

A) Contract an on cloud based SIEM solution to handle and unify data, collecting different security event sources across multiple logs, sources, endpoints, cloud services, feed service providers, and hosting platforms, in order to analyze the increasing amount of security data processed by a Member State of the GS/OAS. It is necessary to acquire a platform and ecosystem of services totally oriented to evaluate and support the incident handling operations. The service must be offered through a web portal and REST API connection point, and must cover all aspects of data management, including: acquisition, analysis / processing, indexing, application of statistical models and “Machine Learning”, storage, Custom Dashboard Management, and reports. In addition, it is required for the companies to present support to collect, analyze and present non-structure data.

B) Contract a service of non-intrusive scanning of internet-facing critical infrastructure based on request of Internet IP Address to know in real-time the cyber-exposure of a Member State of the GS/OAS’ critical infrastructure. This service will support and strength the Cyber Incident Response Team by managing a cyber-risk model at national level based in accurate and real time information.

C) Contract a Software as a Service (SaaS) with accurate cybersecurity events information. The aforementioned information should be based on passive scanning of internet traffic through isolated decoy systems with desired fake data (Honeypots) placed in thousands of locations around the world, as well as provide quantity and quality information about malicious traffics and activities originated from the country’s Cyberspace.

D) Contract a Vulnerability Management Solution able to provide capabilities to identify, categorize and manage vulnerabilities in limited scope of technology assets of a Member State of the GS/OAS. The solution should provide guides and recommendations to prioritize and mitigate possible risk exposure.

E) Contract a Web App Scanning Software able to provide automated vulnerability scanning in limited scope of modern web technologies of a Member State of the GS/OAS. The solution should provide custom reports and recommendations to prioritize and mitigate possible risk exposure.

F) Contract technological services able to provide customized hands-on training platform and virtual laboratories for Cybersecurity Specialists, Incident responders and Law enforcement agencies of a Member State of the GS/OAS. Platform should be flexible to organize different formats of training and exercises as a Capture the flag (Jeopardy, attack-Defense and mixed).

Page 5 of 23

3. TERMS OF REFERENCE SERVICE A

Cloud based SIEM solution to handle and unify data collecting different security event sources across multiple logs, sources, endpoints, cloud services, feed service providers and hosting platforms.

Capacity to consume a variety of data source format: (CSV, XML, JSON, Multi-line free text, etc.)

Must be able to operate in high availability (Clustering) environment and support cloud, multi cloud and hybrid environments. In this particular case, it is required as a cloud service (SaaS).

Service must be based on open source technology.

Service must have the availability to define flows (Playbooks) for Incident handling responses.

Service must have Endpoint Detection and Response (EDR) Capabilities.

Prevention of unsigned ransomware and malware artifacts.

Availability of Threat Hunting and automated response.

Security protection based on MITRE ATT&CK Framework

Unlimited forensic reviews features.

Platform must present a high scalability model, with elastic growing without affecting availability and performance of the services in production.

24x7 support (Phone and email)

Encryption of data in transit and stored.

Provide REST API capacities

Professional implementation services & Training for the use of service (2 attendees) Resources capacity:

ES Data Memory: Minimum128 GB

ES Data Storage: Minimum 3.75 GB

Total memory: Minimum 60 GB

Total Storage: Minimum 3.81 GB

Duration of Service: Minimum 1 year

Page 6 of 23

SERVICE B

Non-intrusive scanning of critical infrastructure based on Internet IP Address to know in real-time the cyber-exposure of a Member State critical infrastructure exposed in the cyberspace.

Service must be provided through a web portal and REST API

connection point.

Service must provide “search engine” capabilities during analysis

investigation.

Provide scan data for the entire IPV4 addresses space

Provide scan data for all the “banners” (service identifiers) of the IPv4

address space.

Provide scan data for digital certificates used in portal and web

services.

Data Index at least weekly.

Provide historical data access.

At least 50,000 queries to API per month.

Multiple users per account.

Structured language to perform queries.

Service must allow downloading of raw data that could be exported to

external data management platforms.

Possibility of request data through google big query.

24/7 support.

Use of cryptographic keys to access the REST API service.

Duration of Service: Minimum 1 year

SERVICE C

Passive scanning of internet traffic through isolated decoy systems with desired fake data (Honeypots) placed in thousands of locations around the world.

Service must be offered through a web portal and a REST API connection point.

Service must provide “search engine” capabilities during analysis investigation.

Able to discern between malicious traffic and opportunistic scanning carried out by massive scanners, commercial search engines, bots, worms, etc.

Service must have a structured language to perform queries.

Service must allow downloading of raw data that could be exported to external data management platforms.

Ability to acquire commercial rights to use the data (with attribution).

At least 50,000 queries to API per month

Page 7 of 23

Identification of compromised devices.

Allow to filter by services running in the honeypots nodes (For example: IoT nodes, cloud services nodes, remote services nodes, Critical infrastructure nodes, etc.)

Filtering and identification of possible false positives.

Ability to execute queries using ASN (Autonomous System Number), CIDR blocks (Classless inter-domain routing) and IP addresses.

API connection points in real time.

24/7 support (phone and email).

Use of cryptographic keys to access the REST API service.

Duration of service: Minimum 2 years

SERVICE D

Vulnerability management solution able to provide capabilities to identify, categorize and manage vulnerabilities in technology assets of a Member State of the GS/OAS.

Service must be offered through a web portal and a REST API

connection point.

It is required to have a simplified vulnerability management.

It should contain a detailed inventory, dashboards and reports that

clearly show the risk levels of the IT infrastructures that are being

monitored.

Able to schedule and repeat cybersecurity scans

Flexible licensing of scanned assets (an asset could have more than one

IP)

Ability to scale to unlimited number of assets to scan. Initially, the

ability to scan 150 assets is required.

Support different scanning options (passive monitoring, scanner agent

model, etc.)

Prioritization of vulnerabilities based on real risk. (Threat Intelligence

to data correlation)

Able to manage assets hosted in cloud infrastructures.

Allow to integrate with third-party applications. (Orchestration and

automation)

Provide multiuser access per accounts

Training to the staff specialists

24/7 support (phone and email).

Use of cryptographic keys to access the REST API service.

Duration of service: Minimum 2 years

Page 8 of 23

SERVICE E

Web App Scanning Software able to provide automated vulnerability scanning in modern web technologies of a Member State of the GS/OAS.

Service must be offered through a web portal and a REST API

connection point.

It is required to have a simplified and unified web scanning

management. It should contain a detailed of scanning tasks,

dashboards and reports that clearly show the risk levels of the web

application that are being scanned.

Able to schedule and repeat cybersecurity scans

Able to execute no-touch scans for continuous monitoring.

Highly performance scanning web applications developed in new web

technologies.

Ability to scale to unlimited number of assets to scan. Initially, the

ability to scan 20 assets is required.

Support different scanning options (passive monitoring, scanner agent

model, intensive scanning etc.).

Prioritization of vulnerabilities based on real risk. (Threat Intelligence

to data correlation)

Allow to integrate with third-party applications. (Orchestration and

automation)

Provide multiusers access per accounts.

Training to the staff specialists.

24/7 support (phone and email).

Use of cryptographic keys to access the REST API service.

Duration of service: Minimum 2 years

SERVICE F

Technological services able to provide customize hands-on training platform and virtual laboratories for Cybersecurity Specialists, Incident responders and Law enforcement agencies of a Member State of the GS/OAS.

1. Able to provide customize hands-on training platform and virtual

laboratories, for at least 400 cybersecurity specialists, Incident

responders and Law enforcement agencies of a Member State of the

GS/OAS.

2. Able to provide custom and continuous training on categories such as

networking, cryptography, web applications, exploiting, forensic

analysis, reverse engineering, incident handling, IoT, etc.

3. Platform will be flexible to organize exercises as a Capture the fFlag

(Jeopardy, attack-defense and mixed) at least two exercises by year.

4. It is required to adapt scenarios and metrics to the MITRE ATT&CK y

NICE Framework

Page 9 of 23

5. Provide permanent management, support and maintenance.

6. Duration of service: Minimum 1 year

4. GOVERNING LAW

This bidding process is regulated by:

a) This RFP. b) The Procurement Contract Rules of the GS/OAS, approved by Executive Order

No.00-1. https://www.oas.org/legal/english/gensec/Executive%20Order%2000-1.pdf

c) The Performance Contract Rules, approved by Executive Order No. 05-04,

Corr. No. 1. http://www.oas.org/legal/english/gensec/EXOR-05-04-CORR1.htm.

d) The Executive Orders, memoranda and other dispositions and official

documents of the GS/OAS applicable to this process.

5. RFP SCHEDULE The following schedule reflects the expected completion dates but may be modified by the GS/OAS at its sole discretion:

Issue Request for Proposals 06/10/2020

Bidder’s inquiries due 06/23/2020

Response to Bidder’s Inquiries Due 06/25/2020

Proposal Closing Date 06/30/2020

Contract Awards 07/14/2020

Expected Contracts Start Date TBD

6. REGISTRATION AS A VENDOR AT THE OFFICIAL GS/OAS PROCUREMENT NOTICIES/OPPORTUNITIES PORTAL

6.1 The GS/OAS will post this RFP and its appendices at the OAS website

(http://www.oas.org/OASpage/bid/default.asp), United Nations Development Business website (www.devbusiness.com), dgMarket website (www.dgmarket.com) and at the Official GS/OAS Procurement Notices/Opportunities Portal (https://oas.procureware.com/Bids), where companies interested in requesting clarification and/or bidding will need to register as a vendor. Please note that unfortunately, some servers or SPAM filters may block important messages or send them to your junk mail folder because they do not recognize the sender. To help ensure that you receive all emails and further notifications from OAS/ProcureWare, please ensure to add our e-mail address

Page 10 of 23

(“nonreply@procureware.com”) to your address book, contacts, and/ or "Safe Senders" list.

7. BIDDERS’ INQUIRIES

7.1 Bidders may submit any inquiry or request for more information and clarification

regarding terms of reference in this RFP until June 23, 2020 through the Official GS/OAS Procurement Notices/Opportunities Portal at https://oas.procureware.com/Bids. You must be registered to ask questions.

7.2 The responses to these requests will be submitted through the Official GS/OAS

Procurement Notices/Opportunities Portal directly to the email that you register with, until June 25, 2020.

8. PROPOSAL CLOSING DATE

8.1 Proposals shall be submitted through the GS/OAS Procurement Notices/Opportunities Portal at https://oas.procureware.com/Bids by June 30, 2020.

9. PROPOSAL SUBMISSION CONDITIONS AND REQUIREMENTS

9.1 Proposal Conditions 9.1.1 By submitting a Proposal, the Bidder gives express warranty of its knowledge

and acceptance of RFP and the rules and conditions that governs the bidding process. Likewise, the Bidder represents and warrants that it has studied and is thoroughly familiarized with the requirements and specifications of the Project in its entirety. This includes familiarity with the TORs and the Contract documents attached to the RFP, with all current equipment, labor, material market conditions, shipping and with applicable laws, such that the Bidder accepts responsibility for and is prepared to execute and shall completely fulfill all obligations under the contract.

9.1.2 By submitting a Proposal, Bidder gives express warranty of the accuracy and

reliability of all information it submits in this procurement process.

9.1.3 By submitting a Proposal, the Bidder gives express warranty of its knowledge that its Proposal does not create any right in or expectation to a contract with the GS/OAS.

9.1.4 The GS/OAS intends to contract the tools and services, either jointly or separately, to provide cybersecurity tools and services for operations in a member State of the OAS:

9.1.5 The Bidder shall bear any and all costs or expenses associated with or incurred

in the formulation or development of a Proposal in response to this RFP.

Page 11 of 23

9.2 Proposal Requirements

9.2.1 The Proposals shall be signed by the Bidder’s legal representative.

9.2.2 Any firm may bid independently or in joint venture confirming joint and several liability, either with domestic firms and/or with foreign firms. The GS/OAS does not accept conditions of bidding which require mandatory joint ventures or other forms of mandatory association between firms. If the Bidder plans to perform the work with subcontractors and/or in joint venture with other firms, an explanation of the relationship between the firms and how potential inefficiencies in the organization, communications, and Project processes can be avoided. If the form of a joint venture is considered, the Technical Proposal should additionally address joint and other liabilities for all partners.

9.2.3 The proposal will be divided into three (03) sections:

9.2.3.1 Section 1: Technical Proposal: The Technical Proposal shall include the following information/documents:

Documents related to Bidders’ Experience

a) A general description of the background and organization of the bidding firm.

b) A detailed description of the Bidder’s work experience similar or relevant to this Project. The description shall substantiate its qualifications and capabilities to satisfy the requirements of the RFP.

c) A minimum of five (5) references from Bidder’s clients to which similar or relevant services were provided during the last three (3) years. These references should include the name of the client, contact person, telephone and fax numbers and e-mail address, and a description of the work performed and the duration of the Project. Please follow Appendix 4.

Documents related to the Project

d) A Statement of Work (SOW), which shall include a description of the basic infrastructure and associated professional services offered, implementation methodology, deliverables, and an estimated timeline for delivery of the requested services (milestones), in accordance with the TORs, Section 3 of this RFP.

e) If the Bidder plans to perform the work with subcontractors and/or in joint venture with other firms, an explanation of the relationship between the firms and how potential inefficiencies in the organization, communications, and Project processes can be avoided. If the form of a joint venture is considered, the Technical Proposal should additionally

Page 12 of 23

address joint and other liabilities for all partners.

Documents related to the Contract

f) Copies of all standard documentation required. This includes but is not limited to the Master Agreement, guarantees, etc.

g) Bidders wishing to negotiate modification of the Contractual Terms and Conditions the GS/OAS stated in Appendix 1 of this RFP must attach a copy of the GS/OAS’s RFP and show proposed changes (deleted sections with a strike over and added sections in boldface type). Bidder’s failure to identify any such changes in its Proposal will preclude the Bidder from raising any such changes thereafter. If Proposals are subject to additional terms, that the GS/OAS decides are not in its best interest, the GS/OAS reserves the right to deem that Proposal as unresponsive.

Bidder’s Point of Contact

h) Information of Bidder’s point(s) of contact. Provide the name, position, telephone number and email of the person or persons serving as coordinators or focal points of information of the Bidder concerning this bidding process.

9.2.3.2 Section 2: Price Proposal: The Bidders shall submit a Price Proposal expressed in United States Dollars (USD)

9.2.3.3 Section 3: Legal Documentation

a) a copy of the contractor's license to do business in the corresponding jurisdiction (if required under the laws of the duty station where the work is to be performed),

b) the certificate of incorporation (Articles of Organization if a Limited Liability Company (LLC)),

c) the bylaws (the Operating Agreement if a LLC), d) a list of the directors (managers if a LLC), officers, and the names

of any stockholder with more than 50% of the stock (a list of all members if a LLC),

e) the latest annual report, f) the financial statements for the last three years of operation, g) If the entity is a partnership, the entity shall provide a list of the

general partners.

9.3 Limited Use of Data

9.3.1 If the Proposal includes data that the Responder does not want to disclose to the public for any purpose or used by the GS/OAS except for evaluation purposes, the Responder shall include in its Proposal a statement signed by its legal representative with the following legend:

Page 13 of 23

USE AND DISCLOSURE OF DATA This Proposal includes data that shall not be disclosed outside the GS/OAS and shall not be duplicated, used, or disclosed— in whole or in part—for any purpose other than to evaluate this Proposal. If, however, a contract is awarded to this Bidder as a result of—or in connection with—the submission of this data, the GS/OAS shall have the right to duplicate, use, or disclose the data to the extent provided in the resulting contract. This restriction does not limit the GS/OAS' right to use information contained in this data if it is obtained from another source without restriction. The data subject to this restriction are contained in sheets [insert numbers or other identification of sheets].

10. PROPOSAL EVALUATION

10.1 Requests for Clarifications

10.1.1 In order to enhance the GS/OAS understanding of Proposals, allow reasonable interpretation of the Proposal, or facilitate the evaluation process, the GS/OAS may submit, in writing, any inquiry or request to the Bidders for explanation, substantiation or clarification of certain aspects of its Proposals. Such requests will be addressed to the point of contact indicated by the Bidders in their Proposal.

10.1.2 Likewise, during the evaluation process, the GS/OAS may offer the Bidders an opportunity to eliminate minor irregularities, informalities, or apparent clerical mistakes in its Proposals.

10.1.3 Requests for clarifications shall not be used to cure Proposal deficiencies or material omissions that materially alter the technical or cost elements of the Proposal, and/or otherwise revise the Proposal. Information provided by the Bidder that was not expressly solicited by the GS/OAS through a request for clarification will not be considered during the evaluation.

10.2 Evaluation Process

10.2.1 The evaluation of the Proposals will be performed as a whole, in two (2) phases: Technical Evaluation and Price Evaluation. The purpose of the Technical Evaluation is to analyze and evaluate the Technical Proposal, and the purpose of the Price Evaluation is to analyze and evaluate the price offered.

10.2.2 Proposals will be admitted for evaluation only if they comply with the mandatory minimums contained in the TORs (Section 3 of this RFP). Once

Page 14 of 23

admitted, the GS/OAS shall analyze and rate those Proposals using the evaluation factors set forth in paragraph 10.3

10.2.3 The tradeoff analysis decisional rule will be applied for the evaluation of the Proposals. Under this rule, the GS/OAS will evaluate both price and non-price factors and will award the Contract to the Bidder proposing the combination of factors which offers best value to the GS/OAS. Therefore, the GS/OAS reserves the right to consider award to other than the lowest price bidder or the highest technically rated bidder.

10.3 Discussions and Negotiations

10.3.1 Before awarding the Contract, the GS/OAS may choose to negotiate the terms, conditions and deliverables of the Contract with the Bidders that, in the opinion of GS/OAS, are within the competitive range. After the negotiations, the GS/OAS will issue a request for Best and Final Offer (BAFO) so those Bidders will have the opportunity to revise or modify its initial Proposal.

10.4 Award Criteria

10.4.1 The GS/OAS will review, evaluate, and compare all Proposals according to, but not necessarily limited to, the following criteria:

Technical Criteria: a) Responsiveness: Whether the Bidder’s Technical Proposal conforms in

all material respects to the RFP. b) Relevant Experience / Past Performance: Bidder’s relevant experience

and past performance will be evaluated in respect to past or current efforts similar or relevant to this Project.

c) Statement of Work (SOW): Assesses the completeness of the Proposal in order to determine timely performance and technical compliance. Assesses the work methodology, as well as the tools and procedures presented by the Bidder, to achieve the objectives of this Project.

d) Experience and Qualification of the Project Manager: Assesses the qualifications and relevant experience of the Project Manager that the Bidder proposes to assign to this transaction.

e) References Check: The GS/OAS will request performance information from Bidder’s previous clients.

f) Financial Capability: Assesses the financial condition of the Bidder to perform the contract through the review of the Bidder’s financial statements.

Page 15 of 23

g) Schedule Compliance. Analyses the ability of the Bidder to comply with the required performance schedule.

Price Criteria: h) Price Proposal.

10.4.2 This RFP does not in any manner whatsoever constitute a commitment or obligation on the part of GS/OAS to accept any Proposal, in whole or in part, received in response to this RFP, nor does it constitute any obligation by GS/OAS to acquire any goods or services.

10.4.3 The GS/OAS reserves the right to award the contract to multiple contractors rather than a single contractor.

10.4.4 The GS/OAS reserves the right to reject any or all Proposals, and to partially award the Contracts.

10.4.5 The award will be notified to the winning Bidder(s). Such communication

shall not be construed as a Contract with the GS/OAS. The award is contingent upon the winning Bidder’s acceptance of the terms and conditions of the proposed Contract, which will be drafted by the GS/OAS based on this RFP and the winning Proposal. Consequently, the Contract shall come into effect when signed by both GS/OAS and the duly authorized representative.

11. GENERAL PROVISIONS

11.1 Privileges and Immunities

11.1.1 Nothing in this RFP shall constitute an express or implied agreement or waiver by the GS/OAS, the OAS, or their personnel of their privileges and immunities under the OAS Charter, the laws of the United States of America, or international law.

11.1.2 The Bidders are not entitled to any of the exemptions, privileges or immunities, which the GS/OAS may enjoy arising from GS/OAS status as a public international organization.

11.2 Due Diligence and Information on the Contract

11.2.1 By submitting a Proposal, the Bidder represents and warrants that it has studied and is thoroughly familiarized with the requirements and specifications of the Contract in their entirety. This includes familiarity with

Page 16 of 23

the Contract Documents attached to the RFP, with all current equipment, labor, material market conditions, and with applicable laws, such that the Bidder accepts responsibility for and is prepared to execute and shall completely fulfill all obligations under the Contract.

11.2.2 By submitting a Proposal, the Bidder also accepts that it will not make any claim for or have any right to damages because of any misinterpretation or misunderstanding of the Contract, or because of any information which is known or should have been known to the Bidder.

Page 17 of 23

APPENDIX 1

CONTRACTUAL TERMS AND CONDITIONS 1. Contractor is neither an employee nor a staff member of GS/OAS and is not entitled to

any of the rights, benefits, and emoluments of GS/OAS staff members. 2. Contractor undertakes to perform Contractor’s functions under this Contract and to

regulate Contractor’s conduct in conformity with the nature, purposes, and interests of the GS/OAS. Contractor shall complete the Work in accordance with the highest professional standards and shall conform to all governmental pertinent laws and regulations.

3. Contractor accepts full legal responsibility for the Work, including all liability for any damages or claims arising from it, and agrees to hold GS/OAS and its staff members harmless from all such damages or claims. Contractor shall provide certificates of insurance coverage as GS/OAS may require for proof of ability to cover such liability.

4. Contractor does not legally represent GS/OAS, shall not hold himself out as having such powers of representation, and shall not sign commitments binding GS/OAS.

5. Contractor shall not have any title, copyright, patent, or other proprietary rights in any Work furnished under this Contract. All such rights shall lie with GS/OAS. At the request of GS/OAS, the Contractor shall assist in securing the intellectual property rights produced under this Contract and in transferring them to GS/OAS.

6. All information (including files, documents, and electronic data, regardless of the media it is in) belonging to GS/OAS and used by Contractor in the performance of this Contract shall remain the property of GS/OAS. Unless otherwise provided in the Terms of Reference and Technical Specifications (Appendix I and II), Contractor shall not retain such information, and copies thereof beyond the termination date of this Contract, and Contractor shall not use such information for any purpose other than for completion of the Work.

7. Administrative Memorandum No. 120 "Information Security Policy” and Executive Order No. 15-02 “Policy and Conflict Resolution System for Prevention and Elimination of All Forms of Workplace Harassment” are readily available at http://www.oas.org/legal/intro.htm. Contractor certifies that he has read those documents and agrees to comply fully with them.

8. The Gross Compensation paid Contractor constitutes full consideration for the Work. It covers all fees, expenses, and costs incurred by Contractor in providing the Work, as well as Contractor's direct compensation for same.

9. Because Contractor is an independent contractor, GS/OAS is not responsible for providing social security, workmen's compensation, health, accident and life insurance, vacation leave, sick leave, or any other such emoluments for Contractor and his employees under this Contract. Contractor is solely responsible for providing those benefits, and the Parties have agreed upon the Gross Compensation hereunder to enable Contractor to satisfy that responsibility. At the request of GS/OAS, the Contractor will provide satisfactory evidence of workman's compensation and other insurance coverage that may be required for all its employees or such Contractors.

10. Contractor warrants that his performance of the Work will not violate applicable immigration laws, and Contractor shall not employ any person for the performance of this Contract where such employment would violate those laws.

Page 18 of 23

11. Unless otherwise specified in this Contract, Contractor shall have the sole responsibility for making Contractor’s travel, visa, and/or customs arrangements related to and/or required for the performance of this Contract, and GS/OAS shall have no responsibility for making or securing such arrangements.

12. This Contract shall be null and void in the event the Contractor is unable to obtain a valid visa and other permits or licenses necessary to complete the Work in the country where the Contract is to be performed.

13. Unless otherwise specified in this Contract, Contractor shall neither seek nor accept instructions regarding the Work from any government or from any authority external to the GS/OAS. During the period of this Contract, Contractor may not engage in any activity that is incompatible with the discharge of Contractor’s obligations under this Contract. Contractor must exercise the utmost discretion in all matters of official business for GS/OAS. Contractor may not communicate at any time to any other person, government, or authority external to GS/OAS any information known to him by reason of his association with GS/OAS which has not been made public, except in the course of the performance of Contractor’s obligations under this Contract or by written authorization of the Secretary General or his designate; nor shall Contractor at any time use such information to private advantage. These obligations do not lapse upon Contract termination. Failure to comply with these obligations is cause for termination of this Contract.

14. Unless specifically provided for in this Contract1 in accordance with CPR Rule 5.13.1, the Contractor may not directly supervise a GS/OAS staff member or direct a project or mission that requires the Contractor to supervise GS/OAS staff members.

15. Contractor shall not openly participate in campaign activities for or otherwise openly support and or promote any candidate for elected positions in the OAS; nor shall Contractor use the facilities of the GS/OAS and/or its staff provided to him under this Contract to support and promote the candidacy of any candidate for an elected position in the OAS.

16. GS/OAS may terminate this Contract for cause with five days notice in writing to the Contractor. Cause includes, but is not limited to: failure to complete the Work in accordance with professional standards or to otherwise deliver conforming goods and services; failure to meet deadlines; conduct which damages or could damage relations between the OAS and a member state; fraudulent misrepresentation; criminal indictment; sexual harassment; workplace harassment; bankruptcy; conduct incommensurate with the requirements for participation in OAS activities; and breach of any of the provisions of this Contract.

17. Either party may terminate this Contract for unforeseen circumstances by giving at least thirty days notice in writing to the other. Unforeseen circumstances include, but are not limited to, modifications to the Program-Budget of the OAS; lack of approved funds in the OAS Program-Budget for the corresponding program or project; failure of a donor to provide fully the specific funds which were to finance this Contract; an act of God; and the Secretary General’s or a member state's desire to discontinue the Work.

18. In the event this Contract is terminated with or without cause, Contractor shall submit to GS/OAS all of the Work completed and shall receive payment for only that portion of the Work completed to the satisfaction of GS/OAS up until the date of termination.

19. Contractor certifies that:

1 Any such provision must comply with the requirements of CPR Rule 5.13.1 in Executive Order No. 05-04, Corr. No. 1 at http://www.oas.org/legal/english/gensec/EXOR0504CORR1.doc.

Page 19 of 23

a) Neither the Contractor nor any of its senior officers and employees, on the date of the signing of this Contract, is a relative of any GS/OAS staff member above the P-3 level or of a representative or delegate to the OAS from an OAS Member State. The term “relative” includes spouse, son or daughter, stepson or stepdaughter, father or mother, stepfather or stepmother, brother or sister, half brother or half sister, stepbrother or stepsister, father or mother-in-law, son or daughter-in-law, brother or sister-in-law.

b) He is not incompetent to enter into this Contract, is not on trial in a criminal court of any of the member states, and has never been convicted of a felony or of any crime involving dishonesty, fraud or theft in any member state.

c) Completion of the Work shall not interfere with the completion of work for which he is responsible under any other contract with GS/OAS.

20. Contractor shall not employ a staff member of GS/OAS or a relative of a staff member as defined in Paragraph 19 (a) above to perform the Work, nor shall Contractor permit any staff member of GS/OAS or any relative of the staff member, as defined in that Paragraph, to receive any personal financial benefit deriving from this Contract or the Contractor's contractual relationship with GS/OAS.

21. Contractor shall not assign this Contract or any element thereof, without the prior written consent of GS/OAS.

22. Upon written notice by either Party to the other, any dispute between the Parties arising out of this Contract may be submitted to either the Inter-American Commercial Arbitration Commission or the American Arbitration Association, for final and binding arbitration in accordance with the selected entity’s rules. The law applicable to the Arbitration proceedings shall be the law of the District of Columbia, USA, and the language of the arbitration shall be English.

23. Nothing in this Contract constitutes an express or implied waiver by GS/OAS of its privileges and immunities under the laws of the United States of America or international law.

24. This Contract shall enter into effect on the date on which it is signed by both Parties. Provided, further, that this Contract shall have no legal effect until it has been signed by both Contractor and a duly authorized representative of the GS/OAS.

25. The law applicable to this Contract is the law of the District of Columbia, USA. 26. This Contract, including Appendixes 1-4, constitutes the entire agreement between the

Parties, and any representation, inducement, or other statements not expressly contained herein shall not be binding on the Parties and shall have no legal effect.

27. The masculine terms employed in this Contract should be understood to apply to males, females and legal persons; singular pronouns should be understood to apply to the plural, when appropriate.

Page 20 of 23

APPENDIX 2

ACCEPTANCE OF THE CONTRACTUAL TERMS AND CONDITIONS STATEMENT

General Secretariat of the Organization of American States 1889 F Street, N.W. Washington, D.C. 20006 USA

Attention: Department of Procurement Services

Subject: BID No. 02/20 CYBERSECURITY TOOLS AND SERVICES FOR OPERATIONS IN A MEMBER STATE OF THE ORGANIZATION OF AMERICAN STATES

I ____________________, representative of ___________________ (Bidder’s name),

declare that ______________ (Bidder’s name) has read, understood and accepted the

Contractual Terms and Conditions as per Appendix 2 of the Request of Proposals of the BID

XX/20.

Sincerely,

____________________________

Signature of Legal Representative

Name:

Page 21 of 23

APPENDIX 3

CONFLICT OF INTEREST STATEMENT

General Secretariat of the Organization of American States 1889 F Street, N.W. Washington, D.C. 20006 USA

Attention: Department of Procurement Services

Subject: BID No. 02/20 CYBERSECURITY TOOLS AND SERVICES FOR OPERATIONS IN A MEMBER STATE OF THE ORGANIZATION OF AMERICAN STATES

I ____________________, representative of ___________________ (Bidder’s name),

declare that ______________ (Bidder’s name) does not fall under the following prohibitions:

a) A staff member of GS/OAS;

b) Any person who has held the post of Secretary General or Assistant Secretary General, or a position of trust unless the contract is approved by the Secretary General or the Chief of Staff of the Secretary General;

c) Any delegate, diplomatic representative, or other government employee of an OAS Member State;

d) Any relative of a GS/OAS staff member above the P-3 level or a relative of any other GS/OAS staff member who has authority to issue the subject contract;

e) Any relative of a representative or delegate of a Member State to the OAS;

Page 22 of 23

f) Any person who has entered into a performance contract terminated by GS/OAS for cause under Chapter 8 of the Performance Contract Rules;

g) Any person employed by an institution that is receiving funds from the GS/OAS as part of a GS/OAS project, except in those cases where the employee is on leave without pay from that institution;

h) Any person who is legally incompetent; any person who is on trial in a criminal court of any OAS Member State; or any person convicted of a serious criminal offense in one of the Member States;

i) Any person who has defaulted on and/or failed to perform satisfactorily an existing or previous performance contract or procurement contract with GS/OAS;

j) Any person who does not have a valid visa to work in the country where the performance contract is to be performed and who cannot obtain one prior to the contract initiation date;

k) Any elected official of an OAS Organ, unless the performance contract is not for or in relation to the organ on which the official serves.

Sincerely,

____________________________

Signature of Legal Representative

Name:

Page 23 of 23

APPENDIX 4

COMERCIAL REFERENCES

Nº

Name and Address

of the Company

Point of Contact

Telephone and E-mail

Description of

the Work

Duration of

the Project

(mm/yyyy

–

mm/yyyy)

1

2

3

4

5